隐私 · Privacy

What we keep, what we discard, and where your input actually goes.

Yanzhi is a hobby project, not a business. There is no analytics SDK, no advertising network, and no ad-supported anything on this site. What follows is the literal data path of each reading.

上传所及 · What you upload

Yanzhi accepts three kinds of input depending on the reading:

Face photos (for 看相, 合相, 颜值 score, and lookalike). The image is processed in memory. We detect a face, compute a small numerical profile from the landmarks (proportions, symmetry indices, categorical 五行 / 三停 / 五官 labels), and discard the original full-resolution upload at the end of the request. We do not write the original to disk and we do not send the original to the language model.
A cropped face thumbnail (~320 px wide, centered on the detected face) is cached in our local SQLite database for 24 hours so that /r/<slug> permalinks can render. After 24 hours the cached thumbnail expires and the row is purged.
Birth date and time (for 八字 only). The form input is parsed locally into the four pillars (eight Chinese characters) and the raw birth datetime is discarded at the end of the request. Only the eight characters and a derived 五行 tally reach the language model. We do not log or store your birth date.

服务器所留 · What we store on the server

Permalink records — the result page for a reading is stored in a local SQLite database for 24 hours so that the /r/<slug> link works for whoever you sent it to. After 24 hours the record expires.
Share-card PNGs — the composed image you can download from the result page is cached for up to 7 days so that link previews on Twitter, WeChat, Slack, and similar services keep working after the reading itself has expired.
Anonymous counters — we keep a non-PII ring buffer of recent errors and per-day counts (how many readings per kind, how many permalinks created, how many revisits). No IP, no user agent, no input content — only the counts. These live in process memory and reset on restart.

本机所留 · What we store on your device

If you complete a reading, Yanzhi writes a small bookmark to localStorage in your browser so the home page can surface your past readings. This bookmark stays on your device. We never receive it. Clearing your site data removes it.

生物识别说明 · Biometric input — BIPA & GDPR Art. 9

We treat the landmark coordinates extracted from your photo as biometric input for the purposes of the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/) and Article 9 of the EU General Data Protection Regulation (special-category data). Specifically:

What we compute: 68 facial landmark points in memory, immediately distilled into a small numerical profile (proportions, symmetry indices, categorical 五行 / 三停 / 五官 labels). No face embedding, no biometric template, no faceprint is generated, stored, or transmitted.
Retention schedule: the 68-point landmark array exists only inside a single HTTP request's Python process memory and is garbage-collected at request end. The ~320 px cropped thumbnail is the only face-derived artifact written anywhere — local SQLite, 24-hour TTL, purged on expiry. We retain zero biometric templates beyond that window and operate no system capable of identifying a face across uploads.
Legal basis (GDPR): explicit consent under Art. 9(2)(a), captured by the in-browser modal shown before your first upload. You can withdraw consent at any time by clearing site data in your browser; we hold no server-side record to delete.
BIPA notice: Illinois residents are entitled to written notice and an explicit retention/destruction schedule before biometric input is collected. This page is that notice; the schedule is "in-memory only, never written to disk, never shared outside the LLM subprocessors named below for the express purpose of generating your reading."

所用大模型 · LLM subprocessors

Reading text is generated by a large language model. Yanzhi currently uses these subprocessors:

DeepSeek (primary) — data-handling policy.
OpenAI (fallback) — API data-usage policy (per the API terms, prompts are not used to train models).
Anthropic (fallback) — commercial terms and privacy center (Claude API inputs/outputs are not used for training by default).

What reaches them is the numerical landmark profile or the eight-character 八字 pillars described above — never your photo, never your raw birth datetime, never your name. We have no data-processing agreement with these providers beyond their standard API terms; treat anything sent as subject to those terms.

不为之事 · What we do not do

We do not run analytics SDKs (no Google Analytics, no Plausible, no Mixpanel).
We do not run ad networks or tracking pixels.
We do not sell, license, or share readings with third parties beyond the LLM providers above.
We do not maintain a per-user account, login, or server-side history.
We do not attempt to identify or re-identify a face from a photo.

永久链接半公开 · Permalinks are public-ish

A /r/<slug> URL is unguessable in practice but not authenticated. Anyone who receives the URL can read the reading until it expires. If you want a reading to be private, do not share the permalink.

联络 · Contact

Questions or requests — including deletion of a specific permalink before its TTL expires — email yanzhi@lishnetwork.com.

Last updated: 2026-05-16.

← 回首页 Home